My guess would be that there is a conditional statement somewhere that is causing session_start() to be skipped, or there is a similar logic failure that is omitting a step that is expected to set a value in the session array.

I don't see anything obviously wrong, and the scripts do not appear to be testable, so I'll just try to give you the general advice, although it's probably restating the article.

Go into all of these scripts and make session_start() be the first executable instruction. First instruction in all of them, no excuses. Even if all the script does is produce some HTML, put <?php session_start(); ?> on the first line.

You might also try this experiment. I have never seen a correctly configured server that fails this test - the number always increments when you tell it to increment. If this fails, then your hosting company needs to come to your rescue.

On payment.php it was NOT at the top, I just put it there & tested again, no change.

The echos in payment_step2.php show BOTH the session variables blank.

I have a plan "B", I can build a database table & let the captcha put the value in there with a random key I give to it, etc., & pass the key as a hidden form field to the processing page, but what a bunch of crap.

As I have stated several times, when I use the program (attached to the original post) pmnt_test.php, it passes the session variables just fine. It even did that BEFORE I moved session_start() to the top.

Richard, there is no magic to sessions. It's just a matter of getting it right. After correcting a number of errors and converting 'payment.php' to long open tags instead of short and moving the test $_SESSION variables to the top of 'payment-step2.php' (note the '-' instead of '_') so I didn't have to mess with the rest of the code there, the $_SESSION variables showed up as they should.

This may be completely unrelated but you might want to stop using the short-open tags. Short-echo tags are preserved, but short-open tags are being removed from PHP.

To give an example, use this: <?php and do not use this: <?

Also, please clarify... The last script named pmnt-test.php -- there is no PHP and therefore no session_start() statement in this script? Any reason why not? I don't really know whether this is a problem or not, but when I'm dealing with PHP scripts it makes sense to make all of them PHP scripts and do the initialization in all of the scripts.

The session variable is created by captcha.php. Where it says <img src='captcha.php />

Maybe that's part of the problem? If you look in the code of captcha.php..........

I'm aware of the short tags. ALL this code except the test program pmnt_test.php I have acquired from other sources. In fact, payment_step2.php is from Authorize.net, modified (by the original developer) slightly to include the captcha stuff.

captcha.php is from the author of that. I downloaded it today because the other captcha was not working (probably because of the session issue).

In my testing, I changed all the short tags to long tags and 'captcha.php' worked fine. Because I had no need to go thru all the code in 'payment_step2.php', I just put this at the top of the page and it worked fine. It shows that the session_start() is working properly on that page.

Ok, we'll be here. Just know that $_SESSION works and it basically works in the code that you posted. I have yet to see a server that sessions do not work on. Although... I vaguely recall one instance where the PHP session.save_path was either not configured or not writable. That would cause the variables to not be saved.
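
An added example, not code posted by anyone in this thread: a single diagnostic page that combines the increment test and the session.save_path check mentioned above. The file name `session_check.php` and the `counter` key are hypothetical, and the code assumes PHP 7 or later.

```php
<?php
// session_check.php (hypothetical name): added diagnostic, not from the thread.
// session_start() is the first executable instruction, as advised above.
$started = session_start();

// Increment test: the number should go up by one on every reload.
$_SESSION['counter'] = ($_SESSION['counter'] ?? 0) + 1;

// session.save_path may be "N;/path" or "N;MODE;/path"; keep only the directory.
// An empty value means PHP falls back to the system temp directory.
$parts = explode(';', session_save_path());
$dir   = end($parts);
if ($dir === '') {
    $dir = sys_get_temp_dir();
}

$handler = ini_get('session.save_handler');
$checks  = [
    'session_start() returned true'   => $started,
    'session is active'               => session_status() === PHP_SESSION_ACTIVE,
    'browser sent the session cookie' => isset($_COOKIE[session_name()]),
];
// Directory checks only make sense for the default file-based handler.
if ($handler === 'files') {
    $checks['save path exists']      = is_dir($dir);
    $checks['save path is writable'] = is_writable($dir);
}

header('Content-Type: text/plain; charset=utf-8');
echo "counter: {$_SESSION['counter']}\n";
echo "save_handler: {$handler}\n";
echo "save_path: {$dir}\n";
foreach ($checks as $label => $ok) {
    echo ($ok ? '[ok]   ' : '[FAIL] ') . $label . "\n";
}
```

On the very first request the cookie line reads FAIL because no cookie exists yet; reload once before judging. A counter stuck at 1 with the cookie check passing points at storage (save path), while a cookie check that keeps failing points at the cookie never reaching the browser or never being sent back.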
